How to Tell If Your Website Has Been Hacked
Catching a hack early limits the damage to your business and reputation.
Not every hack is obvious. While some attackers deface a site loudly, many work quietly in the background, using your website to send spam or scam your visitors while you carry on unaware.
Knowing the warning signs means you can act fast. The sooner a hack is caught, the less damage it does to your customers, your reputation, and your search rankings.
Common warning signs
Watch for content you did not add: strange pages, pop-ups, or links to unrelated, often dubious products. Your site running noticeably slower or behaving oddly can also be a clue.
You might be locked out of your own admin area, or notice unfamiliar user accounts. Sometimes the first sign is a customer or supplier telling you something looks wrong.
Signals from outside
Search engines and browsers often spot a hack before you do. A warning that your site "may be hacked" in search results, or a red browser screen telling visitors the site is dangerous, are serious red flags.
A sudden, unexplained drop in traffic can also point to a hack, as search engines may quietly demote or flag a compromised site to protect their users.
What to do about it
If you suspect a hack, act quickly. Avoid logging in over unsecured connections, change your passwords, and get professional help to clean the site properly rather than guessing.
A clean-up needs to remove the malicious code, close the weakness that let it in, and restore from a known-good backup. Skipping any step risks the hack simply returning.
What to do the moment you discover a hack
Take the site offline immediately — enable maintenance mode or ask your host to suspend the account. A hacked site that remains online can infect visitors, spread malware and be blacklisted by Google. Speed matters more than diagnosis at this first stage.
Do not restore immediately from the most recent backup — it may be compromised. Check backup timestamps against when the breach occurred and restore from the last clean version. Identify and fix the vulnerability before going back live — outdated plugins and themes account for the majority of WordPress breaches. Change all passwords: WordPress admin, FTP, database and hosting.
Common questions.
Can a website be hacked without me knowing?
What should I do first if I think I am hacked?
Can visitors get infected by malware on a hacked site without clicking anything suspicious?
Turn this into action.
The services behind this guide.
More on website care & tech.
Want a hand putting this into practice?
Book a free, no-obligation consultation with a Norwich-based specialist.
Let's put your business in a better light.
Book a free, no-pressure consultation. We'll talk through your goals and tell you honestly what we'd do — whether you work with us or not.